No AAA authentication for switch
I'm puzzled by this one. I have a switch that cannot authenticate against our TACACS server. The configuration is the same as on every other switch, but when I try to open a session with the TACACS+ account, access is denied. This is the AAA/TACACS configuration on the switch:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
tacacs-server host X.X.33.XX
tacacs-server key 7 <key removed>
I removed the aaa configuration and reconfigured it, along with the tacacs-server information, and still no TACACS authentication. I also set the source interface TACACS should use, but same result. Any ideas?
Thank you
Robert
Robert,
Please make sure of the following:
- The TACACS server is reachable from the switch and TCP port 49 is not blocked.
- If it is a layer 3 switch, configure "ip tacacs source-interface XXXX" (the interface whose IP is registered on the TACACS server).
- Check the secret key.
If the problem is still there, please collect:
debug aaa authentication
debug tacacs
Kind regards
~ JG
Tags: Cisco Security
Similar Questions
-
Hello
I have been using the AAA command sequence below to get my routers authenticated against ACS SE 4.2. Now I need to get Cisco 3560 and 6513 switches authenticated by the same ACS server; kindly suggest whether any modifications to the commands are required.
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 1 NO_AUTHOR none
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa authorization network default none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
aaa session-id common
Thank you
Hello Anubhav,
The configuration seems fine.
You need to define the TACACS server as below:
tacacs-server host x.x.x.x (where x.x.x.x is the authenticating TACACS server)
tacacs-server key <shared key used between ACS and the device>
If you have several L3 interfaces on your device, you may also use the command below to specify which interface should source the TACACS traffic:
ip tacacs source-interface x.x.x.x (this should be the interface you have registered on your ACS as the AAA client)
Hope that helps.
Regards
Najaf
Please rate if helpful!
-
AAA authentication for external router through PIX 515
I have been trying, in vain, to get AAA authentication working to my external router through the PIX.
When I connect the router directly inside that network (bypassing the PIX), AAA works fine, so I know the AAA configuration works between the router and the ACS server.
Initially I had the PIX configured with a static mapping between a global external address 192.x.x.12 and the ACS server's local address 10.200.1.187, but that didn't work. So currently I am using NAT exemption for the ACS server, but that does not work either.
If I enable packet debugging on the PIX, I see the authentication request and response between the router and the ACS when I try to connect to the router, but it is not successful. After the three-way TCP handshake, the router repeats its last ACK, and then the ACS sends an RST.
The attached diagram shows the simple connection that I'm trying to create.
The configuration of the PIX is also attached (too large for the message):
Thanks in advance for your help. I have been trying for two days and have not found any solution that resembles this.
Ron Buchalski
What you need to do is:
1. PIX:
- Static map the ACS/TACACS server to a public IP address:
static (inside,outside) x.x.x.10 10.1.1.25 netmask 255.255.255.255
- Otherwise, if you do not have enough public IPs, use port forwarding to map the ACS IP to the PIX outside interface IP, i.e. x.x.x.2, on TCP 49 specifically:
static (inside,outside) tcp interface 49 10.1.1.25 49 netmask 255.255.255.255
* Allow the ACS to talk to the external router via the public IP
Create/add an entry in the ACL applied to the outside interface to allow the TACACS+ protocol from the external router to the ACS:
access-list outside permit tcp host x.x.x.1 host x.x.x.10 eq 49 (TACACS+ uses TCP 49)
access-group outside in interface outside
* x.x.x.1 = outside router
2. ACS:
- Add the outside router's IP (the FastEthernet interface facing the PIX outside interface) as an AAA client
- Make sure, of course, that the secret key is identical on the ACS and the router
3. The outside router:
- Add the ACS as tacacs-server using its public IP as mapped in the PIX, which is x.x.x.10.
- Check that the key in the AAA statement is accurate.
Test on the outside router without saving the config. Save once confirmed OK.
I have had a similar setup before, and it worked very well.
Pls rate all useful post(s)
AK
-
RADIUS authentication for the switch using ISE
Hi guys,
Has anyone done RADIUS authentication for switch CLI access using ISE?
We did it in our environment with ISE, but it is a challenge to give read-only / priv-1 access.
If some users know the enable password, they can use it and gain full privilege.
Any way to get around this other than changing the enable password?
We have thousands of switches and won't change it on each of them.
If you have another method please advise.
Thank you in advance.
Well, you can have the "enable" function also be controlled via the AAA server, with the following command:
aaa authentication enable ... This way the AAA server will be checked to authenticate the enable secret, with the local database used as a last resort.
I hope this helps!
Thank you for rating helpful posts!
-
Test command of the AAA for EAP - TLS authentication for wireless users
Hi all
Can anyone suggest the test command to verify EAP-TLS authentication for Cisco WAPs (wireless)?
If it is a plain authentication we can use the command below to test the connection:
Testwap-01#test aaa group radius [email protected] <password> new-code
Trying to authenticate with the radius server group
User successfully authenticated
But EAP-TLS is not supplied with a password; it insists on the user name only.
We are dealing with a remote location, so we want to test remotely before production.
Could someone please help with a command to test, or a debug command, for this authentication.
EAP-TLS requires a client certificate. How could you have a simple command that tests that without loading any certificate on the router/switch? It does not exist. This is why EAP-TLS is not considered an easy-to-deploy EAP method: it can go wrong on several levels.
The test aaa command performs a PAP authentication, so it tests basic RADIUS connectivity and the username and password.
If it works, the only thing that can break for EAP-TLS is the certificates, and the RADIUS server will be able to tell if something is wrong.
-
AAA RADIUS authentication for the only user group
Hello
I use ACS 3.1 and am trying to use RADIUS authentication for all the network switches in my company.
The problem I have now is how to restrict login/exec access to the switches to a single user group. It seems that all user IDs in my ACS are able to telnet (user access) to the switches using their login credentials.
I would like to prevent them from telnetting with their IDs, except for the administrator group.
Advice on how this is possible?
Thanks!
In ACS, you need the admin users in their own separate ACS group, leaving the other users in their own group as well.
Edit the group containing the users you don't want to give access to and, under the Network Access Restrictions (NAR) heading, in "Per Group Defined Network Access Restrictions", check "Define IP-based access restrictions", choose "Denied Calling/Point of Access Locations" and enter the switches in the table below (put a * in the port and address fields).
This prevents the standard users from authenticating to the switches. You can add all your switches to a Network Device Group (NDG) for this; then you only have to add that NDG in the NAR section rather than adding each switch individually.
-
The AAA authentication configuration
We have an ACS 3.1 server doing AAA authentication for all routers and switches. I want each person to log into the router using their own ID, password and enable password. If the ACS server is unavailable, I want to have a different ID, password and enable password for console and telnet access. What is the right way to do this? I also want to track all commands entered on the router.
This is what I have:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs enable
aaa authentication enable default group tacacs+ line
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
username admin password 7 xxxxxxxxxxxxxxxx
!
!
line con 0
login authentication no_tacacs
line aux 0
line vty 0 4
password 7 xxxxxxxxxxxxxxxxxxxxxxxx
!
Yes, Joy is right. Thanks, Renault
-
AAA authentication and privilege-mode
I want to configure AAA authentication with local user accounts on the switch. The idea is to land directly in privileged mode, without the enable command.
I have configured the following commands:
aaa new-model
aaa authentication login default local
What other (authorization) commands are necessary to get privileged mode directly?
Thank you
Pascal
Dear Sir,
For the console you must issue one more command.
There is a hidden command within IOS that you will need to apply: "aaa authorization console".
That should fix it.
Kind regards
~ JG
Please rate helpful posts
-
AAA authentication problems
Hello
When I use the aaa commands below and attempt to authenticate, I am able to authenticate with TACACS+, but then when I do "sh run" I get the message "Command authorization failed." Please advise.
Test-Switch#sh run
Command authorization failed.
aaa new-model
aaa authentication login NETWORK_ACCESS group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host <IP> key <string>
line vty 0 4
transport input telnet ssh
login authentication NETWORK_ACCESS
exec-timeout 10
BUT as soon as I change the aaa configuration to the one below, I'm able to run sh run as usual without any error.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default none
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs line
aaa authorization console
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec no_tacacs local if-authenticated
aaa authorization commands 0 no_tacacs none
aaa authorization commands 1 no_tacacs none
aaa authorization commands 15 no_tacacs none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa session-id common
Please advise, thank you. It's urgent.
To approach the issue from a slightly different angle: your original set of commands instructs the router to send an authorization request to TACACS for each level 15 command, which includes show run. Your TACACS server was not configured to permit your user to do show run, so your attempt to show run was rejected.
Your revised set of commands does not send requests to TACACS for level 15 commands (or for other classes of commands, for that matter), and so there is no question of authorizing show run.
As far as I can tell, your revised set of commands does not do command authorization at all. You could achieve the same result just as easily (and with fewer complications in your configuration) if you simply delete the aaa authorization commands lines from your config.
HTH
Rick
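Rick's point above is that the difference between the two configs is whether level-15 commands are authorized by the server at all, not the fallback keyword at the end of the list. As an added example (not code from this thread), the Python script below parses IOS "aaa" and "line" statements and reports exactly that: which decisions go to the TACACS+/RADIUS server, which have no fallback if the server is unreachable, which named lists are defined but never applied to a line, and whether exec authorization reaches the console (the "aaa authorization console" point JG makes further up). The two embedded configs are constructed to mirror the poster's original and revised configs; the server address and key are placeholders. The same audit can be run over the other configs quoted on this page.

```python
"""Audit IOS AAA method lists for the pitfalls discussed in this thread.

Added example, not code from the forum posts. Configs below are
constructed to mirror the two the poster quoted; the tacacs-server
address and key are placeholders.
"""
from typing import Dict, List

ORIGINAL_CONFIG = """
aaa new-model
aaa authentication login NETWORK_ACCESS group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
tacacs-server host 192.0.2.10 key PLACEHOLDER
line vty 0 4
 transport input telnet ssh
 login authentication NETWORK_ACCESS
"""

REVISED_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs line
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec no_tacacs local if-authenticated
aaa authorization commands 0 no_tacacs none
aaa authorization commands 1 no_tacacs none
aaa authorization commands 15 no_tacacs none
"""


def parse_methods(tokens: List[str]) -> List[str]:
    """Turn ['group', 'tacacs+', 'local'] into ['group tacacs+', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_aaa(config: str) -> Dict:
    """Collect login/exec/command method lists and which lists lines apply."""
    pol = {"login": {}, "exec": {}, "commands": {}, "console_authz": False,
           "line_lists": {}}
    current = None  # name of the 'line ...' block being read, if any
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[:3] == ["aaa", "authentication", "login"]:
            pol["login"][t[3]] = parse_methods(t[4:])
        elif t[:3] == ["aaa", "authorization", "exec"]:
            pol["exec"][t[3]] = parse_methods(t[4:])
        elif t[:3] == ["aaa", "authorization", "commands"]:
            pol["commands"][(int(t[3]), t[4])] = parse_methods(t[5:])
        elif t[:3] == ["aaa", "authorization", "console"]:
            pol["console_authz"] = True
        elif t[0] == "line":
            current = " ".join(t[1:])
            pol["line_lists"].setdefault(current, {})
        elif current and t[:2] in (["login", "authentication"],
                                   ["authorization", "exec"],
                                   ["authorization", "commands"]):
            pol["line_lists"][current][" ".join(t[:-1])] = t[-1]
    return pol


def uses_server(methods: List[str]) -> bool:
    return any(m.startswith("group ") for m in methods)


def audit(pol: Dict) -> List[str]:
    findings = []
    for name, methods in pol["login"].items():
        if methods and methods[-1].startswith("group "):
            findings.append(f"login list '{name}' has no fallback after "
                            f"'{methods[-1]}': an unreachable server locks out logins")
    # Only the 'default' list applies without being named under a line.
    levels = sorted(lvl for (lvl, name), m in pol["commands"].items()
                    if name == "default" and uses_server(m))
    if levels:
        findings.append("command authorization is active on the default list for "
                        f"level(s) {levels}: every command at those levels "
                        "(including 'show run') is sent to the server, and a "
                        "server deny is final")
    else:
        findings.append("no command authorization on the default list: commands "
                        "are not authorized by the server")
    for (lvl, name), m in pol["commands"].items():
        if uses_server(m) and m[-1] not in ("none", "local", "if-authenticated"):
            findings.append(f"commands {lvl} list '{name}' has no fallback: "
                            f"level-{lvl} commands are denied if the server is unreachable")
    applied = {v for line in pol["line_lists"].values() for v in line.values()}
    for kind in ("login", "exec"):
        for name in pol[kind]:
            if name != "default" and name not in applied:
                findings.append(f"{kind} list '{name}' is defined but not applied to any line")
    for (lvl, name) in pol["commands"]:
        if name != "default" and name not in applied:
            findings.append(f"commands {lvl} list '{name}' is defined but not applied to any line")
    if pol["exec"] and not pol["console_authz"]:
        findings.append("exec authorization does not cover the console "
                        "(no 'aaa authorization console')")
    return findings


def audit_config(config: str) -> List[str]:
    return audit(parse_aaa(config))


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("revised", REVISED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_config(cfg):
            print(" -", finding)
```

On the original config the audit reports that level-15 command authorization is live on the default list (so the server's command sets decide whether "show run" is allowed); on the revised config it reports that no command authorization is in force and that every no_tacacs list is defined but never applied to a line, which is the "fewer complications" observation in Rick's reply.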
-
TACACS+ Queuing AAA authentication
Hello
I've recently updated the IOS on my 3560X to 15.0(2)SE3 and I can't get TACACS working correctly. It worked properly on this device until I updated the IOS, so I don't know what happened. I've made a few other changes as well (management IP change and cleaning up other config) so I'm not 100% sure the issue was the IOS. I have this exact same config on several other Cisco devices and it works fine. Any thoughts are appreciated.
Config:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
ip tacacs source-interface Vlan1
tacacs-server host 10.x.x.x key *
Debugs:
TPLUS: Queuing AAA Authentication request 88 for processing
It never gets past queuing. I can't find a way to clear the queue either.
I have to disable the uplink port and reboot the switch to even get in on the console port. At that point, I get 1 authentication attempt (debug below) before getting the queuing messages.
Mar 29 21:34:36.864 CDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to
Mar 29 21:40:48.068 CDT: TPLUS: Queuing AAA Authentication request 47 for processing
Mar 29 21:40:48.068 CDT: TPLUS: processing authentication start request id 47
Mar 29 21:40:48.068 CDT: TPLUS: Authentication start packet created for 47(**USERNAME**)
Mar 29 21:40:48.068 CDT: TPLUS: Using server 10.x.x.x
Mar 29 21:40:48.068 CDT: TPLUS(0000002F)/0/IDLE/68F4CBC: Started 5 sec timeout
Mar 29 21:40:48.077 CDT: TPLUS(0000002F)/0/IDLE/68F4CBC: got immediate connect on new 0
Mar 29 21:40:48.077 CDT: TPLUS(0000002F)/0/WRITE/68F4CBC: Started 5 sec timeout
Mar 29 21:40:48.077 CDT: T+: Version 192 (0xC0), type 1, seq 1, encryption 1, SC 0
Mar 29 21:40:48.077 CDT: T+: session_id 912650955 (0x3665F2CB), dlen 32 (0x20)
Mar 29 21:40:48.077 CDT: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Mar 29 21:40:48.077 CDT: T+: svc:LOGIN user_len:11 port_len:4 (0x4) rem_addr_len:9 (0x9) data_len:0
Mar 29 21:40:48.077 CDT: T+: user: (*USERNAME*)
Mar 29 21:40:48.077 CDT: T+: port: tty1
Mar 29 21:40:48.077 CDT: T+: rem_addr: 10.y.y.y
Mar 29 21:40:48.077 CDT: T+: data:
Mar 29 21:40:48.077 CDT: T+: End Packet
Mar 29 21:40:48.077 CDT: TPLUS(0000002F)/0/WRITE: write to 10.x.x.x failed with errno 257 (ENOTCONN)
Mar 29 21:40:48.077 CDT: TPLUS: Authentication start packet created for 47(**USERNAME**)
Mar 29 21:40:48.077 CDT: TPLUS(0000002F): Start write failed
Mar 29 21:43:01.976 CDT: %SYS-5-CONFIG_I: Configured from console by dcmorris on console
Mar 29 21:43:08.057 CDT: TPLUS: Queuing AAA Authentication request 48 for processing
Mar 29 21:45:24.842 CDT: TPLUS: Queuing AAA Authentication request 49 for processing
Mar 29 21:48:52.494 CDT: TPLUS: Queuing AAA Authentication request 50 for processing
You might want to take a look here:
https://supportforums.Cisco.com/message/3965551#3965551
Jatin kone
- Please rate helpful posts -
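The debug above tells the story in two lines: the one request that was processed died on a socket write with ENOTCONN (no TCP session to the TACACS+ server was ever established), and every later request is queued but never reaches "processing authentication start". The following Python script is an added example, not code from the post: it scans "debug tacacs" output for queued requests, started requests and write failures, and turns the gap into a triage note. The log lines are constructed to mirror the post's debug (server address, session id and username are placeholders) in the timestamp format IOS emits.

```python
"""Triage 'debug tacacs' output for requests that never leave the AAA queue.

Added example, not code from the forum post. SAMPLE_DEBUG is constructed
to mirror the debug quoted above; 192.0.2.10, 0000002F and 'netadmin'
are placeholders.
"""
import re
from typing import Dict, List

SAMPLE_DEBUG = """\
Mar 29 21:40:48.068 CDT: TPLUS: Queuing AAA Authentication request 47 for processing
Mar 29 21:40:48.068 CDT: TPLUS: processing authentication start request id 47
Mar 29 21:40:48.068 CDT: TPLUS: Authentication start packet created for 47(netadmin)
Mar 29 21:40:48.068 CDT: TPLUS: Using server 192.0.2.10
Mar 29 21:40:48.068 CDT: TPLUS(0000002F)/0/IDLE/68F4CBC: Started 5 sec timeout
Mar 29 21:40:48.077 CDT: TPLUS(0000002F)/0/WRITE: write to 192.0.2.10 failed with errno 257 (ENOTCONN)
Mar 29 21:40:48.077 CDT: TPLUS(0000002F): Start write failed
Mar 29 21:43:08.057 CDT: TPLUS: Queuing AAA Authentication request 48 for processing
Mar 29 21:45:24.842 CDT: TPLUS: Queuing AAA Authentication request 49 for processing
Mar 29 21:48:52.494 CDT: TPLUS: Queuing AAA Authentication request 50 for processing
"""

QUEUED = re.compile(r"TPLUS: Queuing AAA Authentication request (\d+) for processing")
STARTED = re.compile(r"TPLUS: processing authentication start request id (\d+)")
USING = re.compile(r"TPLUS: Using server (\S+)")
WRITE_FAIL = re.compile(
    r"TPLUS\((?P<session>[0-9A-Fa-f]+)\)/\d+/WRITE: write to (?P<server>\S+) "
    r"failed with errno (?P<errno>\d+) \((?P<name>\w+)\)")


def analyse_tplus(log: str) -> Dict:
    """Collect queued/started request ids, servers used and socket write failures."""
    queued, started, servers, failures = [], [], [], []
    for line in log.splitlines():
        if m := QUEUED.search(line):
            queued.append(int(m.group(1)))
        elif m := STARTED.search(line):
            started.append(int(m.group(1)))
        elif m := USING.search(line):
            servers.append(m.group(1))
        elif m := WRITE_FAIL.search(line):
            failures.append({"session": m["session"], "server": m["server"],
                             "errno": int(m["errno"]), "name": m["name"]})
    return {"queued": queued, "started": started,
            "servers": sorted(set(servers)),
            # Requests that were queued but never got a 'processing ... start' line.
            "stuck": [r for r in queued if r not in started],
            "write_failures": failures}


def diagnose(log: str) -> List[str]:
    """Human-readable triage notes derived from analyse_tplus()."""
    r = analyse_tplus(log)
    notes = []
    for f in r["write_failures"]:
        notes.append(f"session {f['session']}: TCP write to {f['server']} failed with "
                     f"{f['name']} (errno {f['errno']}): no TACACS+ connection was open")
    if r["stuck"]:
        notes.append(f"{len(r['stuck'])} request(s) queued but never processed: "
                     f"{r['stuck']}; the AAA queue is not draining")
    if r["write_failures"] and r["stuck"]:
        notes.append("check reachability of " + ", ".join(r["servers"]) +
                     " from the configured source interface before looking at credentials")
    return notes


if __name__ == "__main__":
    for note in diagnose(SAMPLE_DEBUG):
        print("-", note)
```

Run against the sample it reports the ENOTCONN write, the three requests (48, 49, 50) that never started, and points at server reachability from the source interface, which is the same place JG's checklist in the first post starts.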
-
We have the following commands configured on the 2950:
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default
aaa authorization exec default group radius if-authenticated
username localuser secret 5 *
When trying to access the switch, it queries the RADIUS server, but the user is not authenticated there.
It then gets authenticated with the local username.
Here is the log from the RADIUS server.
It shows the correct user name and the correct source IP address of the switch.
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = PAP
EAP-Type =
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
In principle it was expected that as long as the switch is able to connect to the RADIUS server, it would not use the local username for authentication.
But the switch uses the local username even though it can contact the RADIUS service.
Please share your experience.
Thank you
Subodh
Hello
Indeed, I've recreated the issue authenticating against IAS. My switch is running a newer version; however, it always reports the decrypt error in the logs when the shared secret is incorrect. Shared secret configured as "cisco" on the switch and as "cisco123" on the IAS RADIUS client entry. Got the following:
User priv15 was denied access.
Fully-Qualified-User-Name = CAMEJIA\priv15
NAS-IP-Address = x.x.250.12
NAS-Identifier =
Called-Station-Identifier =
Calling-Station-Identifier =
Client-Friendly-Name = x.x.250.12
Client-IP-Address = x.x.250.12
NAS-Port-Type = Async
NAS-Port =
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = PAP
EAP-Type =
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
On the switch debug:
*Mar 2 06:02:13.600: RADIUS: Received from id 1645/6 x.x.250.20:1645, Access-Reject, len 20
*Mar 2 06:02:13.600: RADIUS: authenticator 24 84 60 FA B8 43 3E A9 - AC 55 72 70 CE 34 BA 70
*Mar 2 06:02:13.600: RADIUS: Response authenticator decrypt fail, pak len 20
*Mar 2 06:02:13.600: RADIUS: packet dump: 03060014248460FAB8433EA9AC557270CE34BA70
*Mar 2 06:02:13.600: RADIUS: expected digest: D22363698E8862015AC91213B540D77C
*Mar 2 06:02:13.600: RADIUS: response authen: 248460FAB8433EA9AC557270CE34BA70
*Mar 2 06:02:13.600: RADIUS: request authen: 32B4A229A7EB982A61EB31E29A24AA47
*Mar 2 06:02:13.600: RADIUS: Response (6) failed decrypt
Please create a new RADIUS client for the switch only and use a single key such as "cisco" on both sides. Don't forget that we should not hit the space bar after the key when configuring it on IOS, since it takes the space as a valid character of the shared key.
I hope this helps.
Kind regards.
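The "Response authenticator decrypt fail" line is the whole explanation for the behaviour in the question above: the switch recomputes the reply's authenticator with its own secret, the value does not match what the server sent, the reply is thrown away, and from the method list's point of view the server never answered, so "local" gets its turn. The Python below is an added example, not code from the post: it implements that check as RFC 2865 defines it (MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret) and runs it both on the packet dump and request authenticator quoted in the debug above and on a constructed Access-Accept. The hex values and the two secrets are the ones in the post; the Access-Accept, its identifier and its Reply-Message are constructed here.

```python
"""Check a RADIUS reply's Response Authenticator the way a NAS does.

Added example, not code from the forum post. Response Authenticator per
RFC 2865: MD5(Code | Identifier | Length | RequestAuthenticator |
Attributes | Secret). PAGE_* values come from the switch debug quoted
above; everything built by build_reply() is constructed here.
"""
import hashlib
import hmac
import os
import struct

# From the switch debug above: Access-Reject (code 3), id 6, length 20, no attributes.
PAGE_REPLY = bytes.fromhex("03060014248460FAB8433EA9AC557270CE34BA70")
PAGE_REQUEST_AUTH = bytes.fromhex("32B4A229A7EB982A61EB31E29A24AA47")
SWITCH_SECRET = b"cisco"      # configured on the switch
SERVER_SECRET = b"cisco123"   # configured on the IAS RADIUS client entry


def response_authenticator(reply: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5 over the reply with its authenticator field replaced by the request's."""
    header, attributes = reply[:4], reply[20:]
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply is well-formed and its authenticator matches."""
    if len(reply) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(reply, request_auth, secret)
    return hmac.compare_digest(expected, reply[4:20])


def build_reply(code: int, ident: int, request_auth: bytes, secret: bytes,
                attributes: bytes = b"") -> bytes:
    """Build a server reply (2 = Access-Accept, 3 = Access-Reject)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + auth + attributes


def attribute(avp_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (18 = Reply-Message)."""
    return struct.pack("!BB", avp_type, 2 + len(value)) + value


def secret_mismatch_demo() -> dict:
    """Constructed exchange: a reply verifies with the right secret only."""
    request_auth = os.urandom(16)  # the NAS's per-request random nonce
    accept = build_reply(2, 7, request_auth, SWITCH_SECRET, attribute(18, b"welcome"))
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])  # one attribute byte flipped
    return {
        "right_secret": verify_reply(accept, request_auth, SWITCH_SECRET),
        "wrong_secret": verify_reply(accept, request_auth, SERVER_SECRET),
        "tampered": verify_reply(tampered, request_auth, SWITCH_SECRET),
        # The reply in the post was produced with 'cisco123'; checked with 'cisco' it fails.
        "page_reply_with_switch_secret": verify_reply(PAGE_REPLY, PAGE_REQUEST_AUTH,
                                                      SWITCH_SECRET),
    }


if __name__ == "__main__":
    for name, ok in secret_mismatch_demo().items():
        print(f"{name}: {ok}")
    print("digest the switch expects with 'cisco':   ",
          response_authenticator(PAGE_REPLY, PAGE_REQUEST_AUTH, SWITCH_SECRET).hex().upper())
    print("digest recomputed with the server's secret:",
          response_authenticator(PAGE_REPLY, PAGE_REQUEST_AUTH, SERVER_SECRET).hex().upper())
```

The first printed digest is the value IOS labels "expected digest" in the debug, and the second should reproduce the "response authen" value the server sent if the dump was copied intact. The operational lesson is the one in the reply: with "group radius local", a shared-secret mismatch does not surface as a login failure but as a silent fallback to the local user, so an Access-Reject in the server log next to a successful local login on the switch is the signature to look for.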
-
I have configured aaa authentication banner and aaa authentication fail-message on a router running 12.1(15). Authentication is done by ACS 3.0.2, which works very well.
Problem: the authentication banner does not appear (nothing other than "Username:" is shown, not even "User Access Verification"), but if you enter a wrong password the fail message does appear. If I console in and unplug the interface, both messages work fine.
Workaround: if I set up a login "banner" then everything works fine too, but I can't work out why the "aaa authentication banner" does not display.
I suspect ACS prevents the message, but I can't work out how. Can anyone suggest a solution?
Thank you very much!
By the way, what does the command "tacacs-server administration" do? It doesn't seem to be documented, and it has no effect either way.
The banner command does not work if you do TACACS authentication; it will work if you do RADIUS/local/etc. This is normal, because with TACACS you can have the server send the banner and prompts down (even if with ACS I don't think you can do that), so if you have TACACS authentication configured the router ignores the banner command and waits to see if it gets one from the TACACS server itself. If it doesn't, it will simply display the usual prompts.
As for the 'tacacs-server administration' command, honestly, I have no idea; I have never seen anyone use it. The online help says "Start tacacs+ daemon handling administrative messages", but what it really does I don't know; maybe someone else can help.
-
AAA authentication in Cisco router
I want to create usernames and passwords with a privilege level for each user on a Cisco 3640 router. I don't have any authentication server, and I want to use the local database of the Cisco router to do this. Can someone suggest how I should proceed?
Thanks in advance
Hello
If you want to create users in the local database of the router, you must use the following commands:
username cisco privilege 5 password test
aaa new-model
aaa authentication login default local
aaa authorization exec default local
Thank you
Sujit
-
http using aaa authentication when the TACACS server is down
I set up AAA using TACACS and everything works well except for http authentication through a browser or Network Assistant when the TACACS server is down. For console and telnet connections, the default authentication falls back to line when TACACS is out of service.
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
ip http authentication aaa
!
tacacs-server host 10.161.161.20
tacacs-server key 111111
It must be something to do with the fact that http or CNA connects to the router at level 15, but I have played with all sorts of different authorization commands and cannot make it work.
Paul
What do you want to do for authentication if the TACACS server is down? For telnet and console access you can use line as a backup method because it is possible to configure a password on the console and vty lines. Which type of backup method do you want for HTTP? The one that seems most logical to me would be local authentication, in order to cover the situation where the server is down.
To use local authentication, you must do the following:
- create a local user definition (maybe more than one if you need extended security).
- specify a special method list for aaa authentication.
- specify that http uses the special method list.
The configuration might look like this:
username tech1 password tech1
aaa authentication login http_auth group tacacs+ local
ip http authentication aaa login-authentication http_auth
Or you can decide to use the enable secret (or enable password, if that is what is configured). The config might look like this:
aaa authentication login http_auth group tacacs+ enable
ip http authentication aaa login-authentication http_auth
If you want a different backup method, let us know what it is and we'll see how it could be implemented.
HTH
Rick
-
Disable authentication for reverse Telnet over async lines
I have a 2811 which acts as a terminal server, with several async lines being used to access consoles. Whenever I open a reverse telnet on one of the lines it always prompts me for my credentials. Is there a way to eliminate the authentication requirement, but only on the async lines used for reverse telnet? I can disable it globally (which is not good), and I tried entering "no login authentication" under the respective async lines, but it still prompts me. Any thoughts? My current global and line config:
aaa new-model
aaa authentication login default local-case
aaa authorization console
aaa authorization exec default local
!
line 1/0 1/15
session-timeout 30
exec-timeout 30 0
no exec
transport input telnet
I have not tried it, but try something like the below (which requires aaa new-model):
aaa authentication login no-auth none
line 1/0 1/15
login authentication no-auth